When working with SAML IDPs, it is currently not possible to use provider-specific features such as `login_hint` forwarding. The purpose here is to be able to automatically prefill an IDP login form with a given username.
For instance, this feature is supported by ADFS: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-oapx/a8622e66-2285-43c0-bbb9-abfcecdaed86
Here is the use case scenario we have to solve: https://groups.google.com/forum/#!topic/keycloak-user/hbTf_OyhFCA
- Considering `login_hint` is not part of the SAML protocol, this feature should not be used with incompatible IDPs (e.g. a SAML client provider on Keycloak).
- By default, Keycloak's login form is not designed to include a login_hint in the destination url of SAML Social buttons. This must be done in a dedicated url builder and/or in a custom login template.
- This PR takes a query parameter named `login_hint` into account and forwards it in the destination url of your SAML Identity provider.
- This parameter is sanitized and is added to the destination url as two query parameters named `login_hint` and `username`. When no login_hint is provided, nothing is forwarded.
- This does not require any change in the identity provider configuration, except enabling a "Pass login_hint" toggle, which is `false` by default.
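As an added illustration of the behaviour described above (this is not code from this PR or from Keycloak, which is written in Java; it is a stand-alone Python sketch), the following builds the IdP destination url from the incoming request's query parameters. It forwards the hint as both `login_hint` and `username` only when the toggle is enabled and a usable value was supplied, and leaves the url untouched otherwise. The sanitization rules used here (trimming, rejecting control characters, a length cap, percent-encoding on output) are assumptions for the example, not the PR's actual rules; the function and parameter names are likewise invented for the example.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed cap for the example; the PR does not state one.
MAX_HINT_LENGTH = 255


def sanitize_login_hint(raw):
    """Return a cleaned login_hint, or None when nothing usable was supplied.

    The rules are an assumption for this example: trim surrounding whitespace,
    reject empty or over-long values, reject control characters (CR/LF etc.).
    """
    if raw is None:
        return None
    hint = raw.strip()
    if not hint or len(hint) > MAX_HINT_LENGTH:
        return None
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in hint):
        return None
    return hint


def build_idp_destination(sso_url, request_params, pass_login_hint=False):
    """Append login_hint/username to the IdP SSO url when the toggle is on.

    sso_url:         the IdP single sign-on endpoint (may already carry a query)
    request_params:  query parameters of the incoming request, as a dict
    pass_login_hint: the "Pass login_hint" toggle, off by default
    """
    if not pass_login_hint:
        return sso_url
    hint = sanitize_login_hint(request_params.get("login_hint"))
    if hint is None:
        # No usable hint: nothing is forwarded and the url is returned as-is.
        return sso_url
    parts = urlsplit(sso_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.extend([("login_hint", hint), ("username", hint)])
    # urlencode percent-encodes the value, so '&', '=' or '#' inside a crafted
    # hint cannot introduce extra parameters or a fragment into the redirect.
    return urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment)
    )


if __name__ == "__main__":
    # Constructed sample: an ADFS-style endpoint and a hint from the request.
    print(build_idp_destination(
        "https://adfs.example.test/adfs/ls/",
        {"login_hint": "alice@example.test"},
        pass_login_hint=True,
    ))
```

With the toggle left at its default the url is returned unchanged whatever the request carries, which matches the opt-in behaviour described in the last bullet; with it enabled, the encoded hint is appended twice so that IdPs expecting either parameter name can prefill the form.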